Saml2pAuthenticationOptions

| Name | Type | Description |
|---|---|---|
| Licensee | string | The licensee value received upon purchase. |
| LicenseKey | string | The license key value received upon purchase. |
| ServiceProviderOptions | SpOptions | Settings for defining the Service Provider (yourself). See SpOptions. |
| IdentityProviderOptions | IdpOptions | Settings for defining the Identity Provider you are integrating with. See IdpOptions. |
| IdentityProviderMetadataAddress | string | Sets the address used to automatically retrieve Identity Provider metadata. If this is set and IdpOptions is null, metadata will be retrieved from the specified address and used to configure IdpOptions. The value must be an http/https URL or a local file that exists on disk. Defaults to null. |
| IdentityProviderMetadataRefreshInterval | TimeSpan | The time interval after which a new identity provider configuration will be obtained when using the automatic metadata retriever (see IdentityProviderMetadataAddress). Must be higher than 5 minutes. Defaults to 12 hours. |
| SignInScheme | string | The authentication scheme to use for signing the user in. |
| SignOutScheme | string | The authentication scheme to use when signing the user out. |
| CallbackPath | PathString | The path of the SP ACS endpoint. This endpoint is where an IdP will send your application sign-on responses. Defaults to /saml/acs. |
| SignedOutCallbackPath | PathString | The path of the SP SLO endpoint. This endpoint is where an IdP will send your application logout requests/responses. |
| ArtifactResolutionService | PathString | The path of the SP ARS endpoint. This endpoint is where an IdP will send back-channel requests to your application to resolve artifacts when using the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact protocol binding. |
| IdPInitiatedSsoCompletionPath | PathString | Sets the path to return the user to after logging in via IdP-Initiated SSO. If not set, the user will be redirected to the root page. |
| MessageTrustLength | TimeSpan | The amount of time to trust incoming SAML messages from their issue date. Defaults to 5 minutes. |
| TimeComparisonTolerance | int | Used in time comparison during SAML protocol validation. Allows time comparison checks to be inaccurate by this number of seconds, which can help deal with clock skew across servers. Microsoft uses a default setting of 300 seconds, but we recommend using the lowest possible value. Defaults to 0. |
| ProtocolBinding | string | Sets the ProtocolBinding attribute on generated SAML requests, requesting that the IdP use that binding when returning the SAML response. Defaults to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. |
| NameIdClaimType | string | Sets the claim type of the logged-in user's unique identifier (NameID). This claim type will be searched for when generating logout requests and included in the request. Defaults to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier. |
| IdPSessionIndexClaimType | string | The claim type of the IdP's session index. When null or empty, SessionIndex will be excluded from logout requests. When set to a value, the IdP's session index will be stored in the SignInScheme during sign-in; it will be searched for in the SignOutScheme when generating logout requests and included in the request. Defaults to null. |
| RequestedAuthenticationContext | RequestedAuthenticationContext | When not null, SAML authentication requests will ask for the user to be authenticated with one of the specified contexts. SAML response validation will ensure that this level of authentication has been met. |
| AllowedIdPs | ICollection<string> | An advisory list of identity providers that are deemed acceptable to respond to the authentication request. Defaults to an empty collection. |
| AllowedIdpInitiatedRelayStates | ICollection<string> | The valid RelayState values for IdP-initiated SSO. Defaults to an empty collection. |
| NameIdPolicy | NameIdPolicy | Specifies constraints on the name identifier to be used to represent the requested subject. Defaults to null, which allows the IdP to decide the NameID Format (recommended). |
| SamlCspOptions | SamlCspOptions | The Content Security Policy options. See SamlCspOptions. |
| SigningOptions | SigningOptions | The signing options to use when generating SAML message signatures. See SigningOptions. |
| ForceAuthentication | bool | Sets the ForceAuthn attribute on generated SAML requests, requesting that the IdP re-authenticate the user. Defaults to false. |
| AllowIdpInitiatedSso | bool | Enables unsolicited SAML responses and assertions to be received by the service provider (aka IdP-Initiated SSO). Defaults to false. |
| IdentityProviderMetadataRequireHttps | bool | When true, any attempt to automatically retrieve Identity Provider metadata will be forced to use HTTPS. This can be disabled to allow HTTP during development, but this is not recommended for production. Defaults to true. |
| SkipUnrecognizedRequests | bool | Prevents authentication failures upon SAML response validation failure. When true, many authentication handlers can use the same callback path. Defaults to false. |
| SkipAuthnContextCheck | bool | Indicates whether the AuthnContext in the response is parsed and validated. When true, the AuthnContext in the response will not be parsed and validated, which means the authentication method will not be included in the generated identity claims. Defaults to false. |
| RequireValidMetadataSignature | bool | Requires IdP metadata to pass signature validation. If false, signature validation failure will be ignored. Defaults to true. |
| RequireSamlMessageDestination | bool | Indicates if incoming messages must contain a destination. When true, message validation will fail if the destination is missing. Defaults to true. |
| RequireSignedLogoutRequests | bool | Indicates if logout requests must be signed. When true, incoming logout request validation will fail if the request is not signed. Defaults to false. |
| RequireSignedLogoutResponses | bool | Indicates if logout responses must be signed. When true, incoming logout response validation will fail if the response is not signed. Defaults to false. |
| RequireSignedArtifactResponses | bool | Indicates if received ArtifactResponse messages must be signed. When true, incoming ArtifactResponse validation will fail if the response is not signed. Defaults to true. |
| RequireSignedArtifactResolveRequests | bool | Indicates if received ArtifactResolve messages must be signed. When true, incoming ArtifactResolve validation will fail if the request is not signed. Defaults to true. |
| RequireAuthenticatedUserForLogoutRequests | bool | Indicates if an authenticated user is required for logout requests. When true, incoming logout request validation will fail if a user is not currently signed in. Defaults to false. |
| ArtifactDeliveryBindingType | string | The binding type to use for sending artifacts. Only urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect and urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST are supported. Defaults to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. |
| ArtifactLifeTime | TimeSpan | The amount of time that an artifact is valid, after which the artifact will be marked as expired. Defaults to 5 minutes. |
| ThrowOnLogoutErrors | bool | Indicates whether an error should be thrown upon a logout failure. When false, the authentication handler will return false instead of throwing an error. Defaults to true. |
| LogSamlMessages | bool | Indicates if SAML messages should be logged. Used for debugging only. When true, SAML messages will be logged as debug messages. Defaults to false. |
SpOptions

| Name | Type | Description |
|---|---|---|
| EntityId | string | The unique ID of the service provider. This will be used when generating SAML requests and validating incoming SAML responses and assertions. |
| MetadataPath | PathString | The path at which to serve the service provider's metadata document. Defaults to /saml. |
| MetadataOptions | ServiceProviderMetadataOptions | Configuration for the SP metadata document. Allows for the setting of caching instructions, AttributeConsumingServices, and organization and contact details. |
| SignAuthenticationRequests | bool | When true, the service provider will always sign generated requests. Defaults to false. |
| SigningCertificate | X509Certificate2 | The private key with which to sign generated requests. |
| ValidationCertificates | ICollection<X509Certificate2> | A collection of all public keys that can be used to validate SAML messages generated by the service provider. These certificates will be included in the service provider metadata document, allowing you to perform signing key rollover. |
| EncryptionCertificate | X509Certificate2 | The private key with which to decrypt incoming SAML assertions. |
| RequireEncryptedAssertions | bool | Indicates if assertions in an incoming sign-on response must be encrypted. When true, sign-on response validation will fail if the response does not contain encrypted assertions. Defaults to false. |
| WantAssertionsSigned | bool | Indicates if assertions in an incoming sign-on response must be signed. When true, sign-on response validation will fail if the response does not contain signed assertions. Defaults to false. |
IdpOptions

| Name | Type | Description |
|---|---|---|
| EntityId | string | The unique ID of the identity provider. This will be used to validate incoming SAML responses and assertions. |
| SingleSignOnEndpoint | SamlEndpoint | The identity provider's single sign-on endpoint to use for SSO. This is the endpoint to which authentication requests will be sent. |
| SingleLogoutEndpoint | SamlEndpoint | The identity provider's single logout endpoint to use for SLO. This is the endpoint to which logout requests/responses will be sent. |
| ArtifactResolutionEndpoint | SamlEndpoint | The identity provider's Artifact Resolution endpoint, used for resolving SAML artifacts when using the HTTP-Artifact binding. Only the SOAP binding is supported. |
| SigningCertificates | ICollection<X509Certificate2> | The identity provider's public keys that will be used to validate incoming SAML responses and assertions. |
SamlCspOptions

| Name | Type | Description |
|---|---|---|
| Level | SamlCspLevel | The minimum CSP level. Defaults to SamlCspLevel.Two. |
| AddDeprecatedHeader | bool | Indicates if the deprecated X-Content-Security-Policy header should be added. Defaults to true. |
SigningOptions

| Name | Type | Description |
|---|---|---|
| CanonicalizationMethod | string | The canonicalization method. Defaults to http://www.w3.org/2001/10/xml-exc-c14n#. |
| DigestAlgorithm | string | The digest algorithm. Defaults to http://www.w3.org/2001/04/xmlenc#sha256. |
| SignatureAlgorithm | string | The signature algorithm. Defaults to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. |
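The following is an added example, not code from the original page or from the component's own documentation. It shows a service provider registration that uses the option groups above (Saml2pAuthenticationOptions, SpOptions and IdpOptions) with the signature, encryption and freshness checks that default to off switched on, and the secure-by-default ones restated so a configuration review can diff them. Assumed and not on the page: the AddSaml2p registration extension and the Rsk.AspNetCore.Authentication.Saml2p namespace, the SamlBindingTypes enum and the SamlEndpoint(string, SamlBindingTypes) constructor, and every URL, path, file name and password, all of which are placeholders.

```csharp
// Added example: hardened SP configuration built from the option reference above.
// ASSUMED (not on the page): AddSaml2p(...), SamlBindingTypes, the SamlEndpoint
// constructor shape, and all URLs/paths/file names, which are placeholders.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;
using Rsk.AspNetCore.Authentication.Saml2p;

public static class Saml2pHardening
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie()
            .AddSaml2p("saml2p", options =>
            {
                options.Licensee = "<licensee from purchase>";
                options.LicenseKey = "<license key from purchase>";

                // SpOptions: who we are. ValidationCertificates lists the current and the
                // next signing certificate so both appear in SP metadata during rollover.
                var current = new X509Certificate2("sp-signing-current.pfx", "<pfx password>");
                var next = new X509Certificate2("sp-signing-next.cer");
                options.ServiceProviderOptions = new SpOptions
                {
                    EntityId = "https://sp.example.test/saml",
                    MetadataPath = "/saml",
                    SignAuthenticationRequests = true,      // page default: false
                    SigningCertificate = current,
                    ValidationCertificates = new List<X509Certificate2> { current, next },
                    EncryptionCertificate = new X509Certificate2("sp-encryption.pfx", "<pfx password>"),
                    RequireEncryptedAssertions = true,      // page default: false
                    WantAssertionsSigned = true             // page default: false
                };

                // IdpOptions: who we trust, configured statically. The alternative is to leave
                // IdentityProviderOptions null and set IdentityProviderMetadataAddress, in which
                // case IdentityProviderMetadataRequireHttps and RequireValidMetadataSignature
                // (both default true) govern how that metadata is fetched and checked.
                options.IdentityProviderOptions = new IdpOptions
                {
                    EntityId = "https://idp.example.test",
                    SingleSignOnEndpoint = new SamlEndpoint("https://idp.example.test/saml/sso", SamlBindingTypes.HttpRedirect),
                    SingleLogoutEndpoint = new SamlEndpoint("https://idp.example.test/saml/slo", SamlBindingTypes.HttpRedirect),
                    SigningCertificates = new List<X509Certificate2> { new X509Certificate2("idp-signing.cer") }
                };

                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.SignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.CallbackPath = "/saml/acs";
                options.SignedOutCallbackPath = "/saml/slo";

                // Freshness and skew. The page recommends the lowest tolerance the fleet's
                // clocks allow; 30 s here is a placeholder, the default is 0.
                options.MessageTrustLength = TimeSpan.FromMinutes(5);
                options.TimeComparisonTolerance = 30;

                // Unsolicited responses stay off unless IdP-initiated SSO is required; if it
                // is enabled, AllowedIdpInitiatedRelayStates bounds the accepted RelayState values.
                options.AllowIdpInitiatedSso = false;
                options.AllowedIdpInitiatedRelayStates = new List<string>();

                // Logout signature checks default to false on the page; turn them on once the
                // IdP is confirmed to sign its logout traffic, otherwise SLO will fail validation.
                options.RequireSignedLogoutRequests = true;
                options.RequireSignedLogoutResponses = true;
                options.RequireAuthenticatedUserForLogoutRequests = true;

                // Secure-by-default settings restated explicitly so a config review can diff them.
                options.IdentityProviderMetadataRequireHttps = true;
                options.RequireValidMetadataSignature = true;
                options.RequireSamlMessageDestination = true;
                options.RequireSignedArtifactResponses = true;
                options.RequireSignedArtifactResolveRequests = true;
                options.SkipAuthnContextCheck = false;
                options.SkipUnrecognizedRequests = false;
                options.LogSamlMessages = false;   // debug only; logged messages carry assertions
            });
    }
}
```

The settings that differ from the documented defaults (SignAuthenticationRequests, WantAssertionsSigned, RequireEncryptedAssertions, the two RequireSignedLogout* flags and RequireAuthenticatedUserForLogoutRequests) are the ones to confirm against the identity provider's capabilities before deployment, since each causes validation to fail rather than fall back when the IdP does not sign or encrypt as expected.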